I wonder if anyone can have a think about this.
On the drive I am examining there are thousands of entries in the IE history files.
Looking further into the IE activity I was looking at the typedurls entry in the users HCKU contained in NTUSER. The typedurls key only has a few entries, none of which relate to the content in IE history.
I understand that typedurls returns only those urls a user typed in the address bar but in this case I cant workout how the user viewed the sites they did without at least going to google or something first.
Any suggestions on what is happening here? I need to boot the machine up in VFC really but today I ran out of time.
Thanks as always for your help.
The typedurls key only has a few entries, none of which relate to the content in IE history.
No entries in typedurls correspond to the content in either history files or index.dat?
If you are seeing traces of searches it might be that they are using a search bar integrated into IE (google toolbar, IE7 built-in, etc.), or even have a search engine in their favorites. Both using a search bar or a favorite will not leave a trace in typedurls.
Hvva
The TypedURLs key also can be populated by pasting an entry and a few other more esoteric means, some of which are not, AFAIK, totally understood. With few exceptions, I don't rely very heavily on any data in that key. If you see a lot of straughtforward addresses, e.g., www .site.com, of a similar variety, you could probably consider that as circumstantial evdience of the nature of the user's interests.
Agree with Jimmy, I have seen some weird and wonderful URL's in that key that were very likely NOT typed or pasted by User.
u can use this forensics software - X-ways trace. It gives u all data sites visited even the not-typed urls.